b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 Sensitive Data Remain at Risk From the Use\n                    of Unauthorized Wireless Technology\n\n\n\n                                          March 28, 2007\n\n                              Reference Number: 2007-20-060\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Phone Number | 202-927-7037\n Email Address | Bonnie.Heald@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           March 28, 2007\n\n\n MEMORANDUM FOR CHIEF INFORMATION OFFICER\n                CHIEF, MISSION ASSURANCE AND SECURITY SERVICES\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Sensitive Data Remain at Risk From the Use of\n                             Unauthorized Wireless Technology (Audit # 200620029)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s (IRS) wireless\n security policy and program. The overall objective of this follow-up review was to determine\n whether IRS assets are at risk from the use of unapproved wireless network devices. We also\n evaluated the security controls over the one IRS-approved wireless network. In addition, we\n determined whether existing wireless networks were properly approved and securely\n implemented and whether IRS employees or contractors were installing unapproved wireless\n networks. This audit was part of the statutory audit coverage under the Information Systems\n Programs and is included in the Treasury Inspector General for Tax Administration Fiscal\n Year 2006 Annual Audit Plan.\n\n Impact on the Taxpayer\n The use of wireless technology is growing at a phenomenal rate because of its convenience,\n affordability, and mobility; however, the use of wireless technology also poses significant\n security risks. We identified an unauthorized wireless device in one location and had strong\n indications of three other wireless devices at other locations. If unauthorized wireless devices\n are installed and connected to the IRS network, sensitive financial data for over 226 million\n taxpayers could be at risk.\n\n Synopsis\n Wireless technology is based on sending radio-wave transmissions through the air between two\n points, usually a user laptop computer and a predefined access point that can be connected back\n\x0c                   Sensitive Data Remain at Risk From the Use of Unauthorized\n                                     Wireless Technology\n\n\n\nto the organization\xe2\x80\x99s network to allow for full functionality and access to all computer resources.\nWireless signals can be intercepted by anyone in close proximity with inexpensive, readily\navailable equipment. Although encryption is available for wireless traffic, it has proven to be\nweak, and free software is widely available on the Internet to break this encryption.\nIn February 2003, we issued a report1 that addressed the IRS\xe2\x80\x99 actions to control and secure the\nuse of wireless technology. We reported an unauthorized wireless application in one location\nwas directly connected to the IRS-wide internal network containing sensitive taxpayer\ninformation, and we had strong indications of another unauthorized wireless application at\nanother location. We recommended the IRS immediately disconnect all unapproved wireless\nnetworks, issue policies and procedures for the use of wireless technology, and ensure wireless\nscanning efforts include sufficient geographic coverage.\nTo correct the deficiencies we reported, the IRS disconnected the unauthorized wireless network\nand developed a comprehensive wireless security policy that requires the Mission Assurance and\nSecurity Services organization to approve all requests for deploying wireless networks and\ndevices. In addition, the IRS has scanned offices to search for unauthorized wireless devices.\nAlthough the IRS took several corrective actions, in this review we identified similar weaknesses\nthat could jeopardize sensitive taxpayer systems and information.\nWe scanned 20 IRS buildings in 10 cities using inexpensive wireless equipment and software\nfreely available on the Internet. During our scanning efforts, we identified an unauthorized\nwireless device in one location and had strong indications of three other wireless devices in other\nlocations. The wireless access point we located was not directly connected to the IRS network.\nHowever, anyone with a wireless detection tool could pick up the wireless signal and gain access\nto the computer. Also, if an employee connected to the access point with an IRS computer, and\nthe access point was configured improperly, a hacker conceivably could gain access to the IRS\nnetwork.\nThe IRS is currently attempting to detect unauthorized access points on an ad hoc basis, with\nlimited success. As of May 2006, it had scanned fewer than 6 percent of all IRS locations and\nhad concentrated mainly on the Washington, D.C., and Baltimore, Maryland, areas. We believe\nthis scanning is of limited value, considering wireless access points can be set up easily\nanywhere in the nation and can place the confidentiality of the data at risk.\nThe IRS has one authorized wireless network; it is located in Bloomington, Illinois. The\nEnterprise Logistics Information Technology (ELITE) network is used to receive, store, and\ndistribute IRS published products; it is considered by the IRS to be a low security risk. The IRS\nComputer Security Incident Response Center conducted penetration tests of the ELITE\nnetwork\xe2\x80\x99s wireless infrastructure in January and February 2006 to ensure it was securely\n\n1\n Use of Unapproved Wireless Technology Puts Sensitive Data at Risk (Reference Number 2003-20-056, dated\nFebruary 2003).\n                                                                                                          2\n\x0c                    Sensitive Data Remain at Risk From the Use of Unauthorized\n                                      Wireless Technology\n\n\n\nconfigured. The tests identified that one wireless access point was using a default configuration,\nsecurity devices were not in place to detect attacks against the ELITE wireless network, and\nsecurity configurations were not being monitored. The IRS took immediate action to correct the\ndefault configuration and installed a network intrusion prevention system for the ELITE wireless\nnetwork. However, the Enterprise Networks Division has not installed the software required to\ncontinuously monitor the configuration files of the wireless devices due to other higher priorities.\n\nRecommendations\nTo detect and deter employees from installing unauthorized wireless access points, we\nrecommended the Chief, Mission Assurance and Security Services, use available tools to\nproactively scan, on a continuous basis, the entire IRS network for unapproved wireless devices\nand periodically advise employees of the risk involved with wireless technology. The risk and\nconsequences for violating the current wireless policy should also be included in the IRS\xe2\x80\x99 annual\nsecurity awareness training. In addition, the Chief Information Officer should ensure the\nEnterprise Networks Division takes appropriate action to monitor and track the configuration\nfiles on the ELITE wireless network to ensure all files are set in accordance with current policy.\n\nResponse\nThe IRS agreed with all of our recommendations. The Mission Assurance and Security Services\norganization established a monthly wireless scanning project, initiated monthly scans in\nNovember 2006 that included the nine IRS campuses2 and three IRS Computing Centers, and\nwill expand the number of locations scanned after performing a risk-based evaluation. In\naddition, the Mission Assurance and Security Services organization will include information\nabout the IRS wireless policy, risks associated with wireless technology, and the consequences\nfor policy violations in the mandatory annual security awareness training. The Enterprise\nNetworks Division is currently working with the Mission Assurance and Security Services\norganization to fully assess and manage the ELITE network devices to ensure all configurations\nadhere to IRS standards. Management\xe2\x80\x99s complete response to the draft report is included as\nAppendix V.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nat (202) 622-8510.\n\n2\n  Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct\nerrors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. Computing\nCenters support tax processing and information management through a data processing and telecommunications\ninfrastructure.\n                                                                                                               3\n\x0c                        Sensitive Data Remain at Risk From the Use of Unauthorized\n                                          Wireless Technology\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          Corrective Actions Were Taken; However, We Continue to Locate\n          Unauthorized Wireless Devices....................................................................Page 3\n                    Recommendations 1 and 2: ................................................Page 5\n\n          Most Corrective Actions Have Been Taken to Ensure Adequate\n          Security of the Enterprise Logistics Information Technology\n          Wireless Network..........................................................................................Page 6\n                    Recommendation 3:..........................................................Page 7\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objectives, Scope, and Methodology.......................Page 8\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 10\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 11\n          Appendix IV \xe2\x80\x93 Locations Scanned for Wireless Devices.............................Page 12\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to Draft Report .............................Page 13\n\x0c        Sensitive Data Remain at Risk From the Use of Unauthorized\n                          Wireless Technology\n\n\n\n\n                      Abbreviations\n\nCSIRC           Computer Security Incident Response Center\nELITE           Enterprise Logistics Information Technology\nIRS             Internal Revenue Service\n\x0c                    Sensitive Data Remain at Risk From the Use of Unauthorized\n                                      Wireless Technology\n\n\n\n\n                                          Background\n\nThe use of wireless technology is growing at a phenomenal rate because of its convenience,\naffordability, and mobility. These benefits that make wireless technology so useful and\nattractive to its users also pose significant security risks.\nWireless technology is based on sending radio-wave\ntransmissions through the air between two points,                 Ninety-five percent of corporate\nusually a user laptop computer and a predefined access          laptop computers shipped in 2005\n                                                                    were equipped for wireless\npoint that can be connected back to the organization\xe2\x80\x99s                       operation.\nnetwork to allow for full functionality and access to all\ncomputer resources. Wireless signals can be intercepted\nby anyone in close proximity with inexpensive, readily available equipment. Although\nencryption is available for wireless traffic, it has proven to be weak. Free software is widely\navailable on the Internet to break this encryption.\nLoosely organized hacker and investigative groups have been scanning metropolitan areas for\nwireless technology for some time. Commonly referred to as \xe2\x80\x9cwar driving,\xe2\x80\x9d this activity has\nmore recently been extended to hackers posting information on locations of insecure wireless\nnetworks for others to potentially exploit.\nThe Privacy Rights Clearinghouse1 reports that personal information of over 100 million\nAmericans has been compromised since February 2005.\nMore than 50 percent of the damage came from                  Sensitive financial data for over\nintruders who were not authorized to access the               226 million taxpayers\xe2\x80\x99 accounts\ninformation, several of whom used wireless attacks. For      could be at risk if an unapproved\nthe Internal Revenue Service (IRS), the security risks      wireless device was installed and\nassociated with wireless technology mainly involve the         connected to the IRS network.\nimproper access to and unauthorized disclosure of\nsensitive taxpayer data.\nIn February 2003, we issued a report2 that addressed the IRS\xe2\x80\x99 actions to control and secure the\nuse of wireless technology. We reported an unauthorized wireless application in one location\nwas directly connected to the IRS-wide internal network containing sensitive taxpayer\ninformation, and we had strong indications of another unauthorized wireless application at\nanother location, although we were unable to locate a wireless device.\n\n1\n  The Privacy Rights Clearinghouse is a nonprofit consumer organization with a two-part mission: consumer\ninformation and consumer advocacy.\n2\n  Use of Unapproved Wireless Technology Puts Sensitive Data at Risk (Reference Number 2003-20-056, dated\nFebruary 2003).\n                                                                                                       Page 1\n\x0c                  Sensitive Data Remain at Risk From the Use of Unauthorized\n                                    Wireless Technology\n\n\n\nAs of January 2007, the IRS had only one approved wireless network, the Enterprise Logistics\nInformation Technology (ELITE) network, which is an integrated, web-based, real-time system\nused to receive, store, and distribute IRS published products at the National Distribution Center\nin Bloomington, Illinois. The ELITE network, specifically used for order management,\ninventory management, and distribution of products, is designated by the IRS as a low security\nrisk.\nWe performed the review at the offices of the Chief Information Officer and the Chief, Mission\nAssurance and Security Services, in Washington, D.C., and at IRS offices located in Dallas,\nFort Worth, and Houston, Texas; Plantation, Miami, and West Palm Beach, Florida;\nDenver, Colorado; Portland, Oregon; Atlanta, Georgia; and Bloomington, Illinois, during the\nperiod April through November 2006. The audit was conducted in accordance with Government\nAuditing Standards. Detailed information on our audit objectives, scope and methodology is\npresented in Appendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                            Page 2\n\x0c                     Sensitive Data Remain at Risk From the Use of Unauthorized\n                                       Wireless Technology\n\n\n\n\n                                      Results of Review\n\nIn our February 2003 report, we recommended the IRS immediately disconnect all unapproved\nwireless networks, issue policies and procedures for the use of wireless technology, and ensure\nwireless scanning efforts include sufficient geographic coverage. To correct the deficiencies we\nreported, the IRS disconnected the unauthorized wireless network and took several other\ncorrective actions. However, in this review we identified similar weaknesses that could\njeopardize sensitive taxpayer systems and information.\n\nCorrective Actions Were Taken; However, We Continue to Locate\nUnauthorized Wireless Devices\nBased on the prior report recommendations, the IRS developed a comprehensive wireless\nsecurity policy consistent with standards, best practices, and guidance from the Department of\nthe Treasury, the National Institute of Standards and Technology,3 and the United States\nGovernment Accountability Office and issued the policy in March 2006. The policy\nincorporated guidance from some of the industry security leaders such as the Department of\nDefense, Defense Information System Agency,4 and Center for Internet Security.5 The policy\nrequires that the IRS Mission Assurance and Security Services organization approve all requests\nfor deploying wireless networks and devices. All authorized wireless systems must be certified\nand accredited by the IRS Modernization and Information Technology Services and the Mission\nAssurance and Security Services organizations.\nTo complement the wireless security policy, the IRS Computer Security Incident Response\nCenter (CSIRC)6 and the Treasury Inspector General for Tax Administration Office of\nInvestigations System Intrusion Network Attack Response Team jointly conduct periodic scans\nto detect any unauthorized wireless devices at selected IRS facilities. Over the last several years,\nthey have conducted approximately 30 wireless scans mainly in and around Washington, D.C.,\nincluding the New Carrollton Federal Building and Baltimore, Maryland, field offices. Other\nlocations were scanned based on allegations from either the IRS or Treasury Inspector General\n\n3\n  The National Institute of Standards and Technology\xe2\x80\x99s mission is to promote United States innovation and\nindustrial competitiveness by advancing measurement science, standards, and technology in ways that enhance\neconomic security and improve our quality of life.\n4\n  An agency in the Department of Defense responsible for developing, operating, and supporting information\nsystems to serve the needs of the President, the Secretary of Defense, and the Joint Chiefs of Staff.\n5\n  A nonprofit enterprise whose mission is to help organizations reduce the risk of business and electronic commerce\ndisruptions resulting from inadequate technical security controls.\n6\n  Designed to ensure the IRS has a team of capable \xe2\x80\x9cfirst responders\xe2\x80\x9d who are organized, trained, and equipped to\nidentify, contain, and eradicate cyber threats targeting IRS computers and data.\n                                                                                                            Page 3\n\x0c                       Sensitive Data Remain at Risk From the Use of Unauthorized\n                                         Wireless Technology\n\n\n\nfor Tax Administration employees. Through their joint efforts, one unapproved wireless access\npoint connected to the IRS network was detected in an office in Dallas, Texas.\nWe scanned 20 IRS buildings in 10 cities using inexpensive wireless equipment and software7\nfreely available on the Internet. During our scanning efforts, we identified an unauthorized\nwireless device in one location and had strong indications of three other wireless devices at other\nlocations. Appendix IV includes a complete list of the locations we scanned for wireless\ndevices.\nThe IRS Criminal Investigation Division in Denver, Colorado, had connected one unauthorized\nwireless access point to a desktop computer\n(see Figures 1 and 2). The device was not connected to\nthe IRS\xe2\x80\x99 network but had its own Digital Subscriber\nLine (commonly known as DSL)8 connected to it. The\nformer Director, Special Investigative Techniques\nDivision, approved the purchase of the device. The\nDenver Criminal Investigation Division Lead\nDevelopment Center uses the device to log onto the            Figure 1: Wireless access point.\nInternet as an undercover computer to assist with investigations. The device was originally\ninstalled with the wireless features turned off by default; so someone within the office configured\nthe device for wireless capabilities. Neither of the two system administrators could explain to us\nwhy the wireless features were turned on, only that the device is rarely used. However, on the\nmorning we scanned the office, the wireless device was activated and operating, and when we\nreturned in the afternoon, it had been turned off. The system administrators stated they were\naware of the IRS\xe2\x80\x99 wireless security policy but did not believe they had violated the policy\nbecause the wireless access point was not connected to a computer on the IRS network.\n                                              Although the wireless access point was not directly\n                                              connected to the IRS network, our concern is that anyone\n                                              with a wireless detection tool could pick up the wireless\n                                              signal and gain access to the computer. Also, if an\n                                              employee connected to the access point with an IRS\n                                              computer, and the access point was configured improperly,\n                                              a hacker conceivably could gain access to the IRS\n    Figure 2: Criminal Investigation          network. Once the device was located and identified, the\n    Division computer with wireless access    Treasury Inspector General for Tax Administration Office\n    point.                                    of Investigations was contacted to remove the wireless\n                                              access point and eliminate the vulnerability.\n\n\n7\n  We used Kismet, a free online tool used to detect the presence of both wireless access points and wireless clients\nand associate them to each other.\n8\n  A Digital Subscriber Line provides digital data transmission over the wires of a local telephone network.\n                                                                                                              Page 4\n\x0c                    Sensitive Data Remain at Risk From the Use of Unauthorized\n                                      Wireless Technology\n\n\n\nIn addition, we detected strong wireless signals at three\nother facilities but were unable to pinpoint where the\naccess points were located. The strength of the signals               We found strong indications of\n                                                                      wireless access points at three\nindicated some kind of wireless activity. We were                         different IRS locations.\nadvised that an unauthorized wireless access point was\nin use prior to our arrival in at least one location.\nCurrently, the IRS is attempting to detect unauthorized access points on an ad hoc basis, with\nlimited success. As of May 2006, it had scanned fewer than 6 percent of all IRS locations and\nhad concentrated mainly on the Washington, D.C., and Baltimore, Maryland, areas. We believe\nthis scanning is of limited value, considering wireless access points can be set up easily\nanywhere in the nation and can place the confidentiality of the data at risk. In addition, the IRS\nhas not used available tools that continuously monitor network traffic for malicious or accidental\nwireless activities. These tools can provide additional protection, regardless of the location, and\nprovide immediate detection. We also believe employees were not aware of the risks of\nestablishing wireless access points.\n\nRecommendations\nRecommendation 1: The Chief, Mission Assurance and Security Services, should use\navailable tools to proactively scan, on a continuous basis, the entire IRS network for unapproved\nwireless devices.\n        Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n        Mission Assurance and Security Services organization established a monthly wireless\n        scanning project, initiated monthly scans in November 2006 that included the nine IRS\n        campuses9 and three IRS Computing Centers, and will expand the number of locations\n        scanned after performing a risk-based evaluation.\nRecommendation 2: The Chief, Mission Assurance and Security Services, should\nperiodically advise employees of the risk involved with wireless technology. The risk and\nconsequences for violating the current wireless policy should also be included in annual security\nawareness training.\n        Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n        Mission Assurance and Security Services organization will include information about the\n        IRS wireless policy, risks associated with wireless technology, and the consequences for\n        policy violations in the mandatory annual security awareness training.\n\n\n9\n  Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct\nerrors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. Computing\nCenters support tax processing and information management through a data processing and telecommunications\ninfrastructure.\n                                                                                                         Page 5\n\x0c                 Sensitive Data Remain at Risk From the Use of Unauthorized\n                                   Wireless Technology\n\n\n\nMost Corrective Actions Have Been Taken to Ensure Adequate\nSecurity of the Enterprise Logistics Information Technology Wireless\nNetwork\nThe IRS has one authorized wireless network; it is located in Bloomington, Illinois. The ELITE\nnetwork is an integrated, web-based, real-time supply chain system used to receive, store, and\ndistribute IRS published products. The IRS considers it to be a low security risk. The current\nIRS wireless policy states all approved wireless networks shall adhere to specific security\nrequirements that include:\n   \xe2\x80\xa2   Wireless networks and devices transmitting Sensitive But Unclassified information shall\n       obtain certification and accreditation.\n   \xe2\x80\xa2   An intrusion detection system shall monitor the wireless environment and immediate\n       surrounding areas.\nThe CSIRC conducted penetration tests of the ELITE network\xe2\x80\x99s wireless infrastructure in\nJanuary and February 2006 to ensure it was securely configured, followed the current policy, and\nwas not susceptible to any known attacks. During its reviews, the CSIRC identified the\nfollowing issues:\n   \xe2\x80\xa2   One access point on the wireless network was still using its default configuration. The\n       IRS took immediate corrective action, making the necessary changes to ensure all access\n       points were properly and consistently configured. On March 9, 2006, the IRS certified\n       and accredited the ELITE wireless network and accepted the security risks identified.\n   \xe2\x80\xa2   Security devices were not in place to detect attacks against the ELITE wireless network.\n       Subsequently, in May 2006, the CSIRC installed a Network Intrusion Prevention System,\n       which automatically blocks malicious attacks against this wireless network. Potential\n       attacks are continuously monitored by the CSIRC.\n   \xe2\x80\xa2   Security configurations were not monitored on the ELITE wireless network. Inadvertent\n       or intentional changes to the security configurations could increase the likelihood that the\n       network could be compromised and operations disrupted. The CSIRC recommended the\n       Enterprise Networks Division within the Modernization and Information Technology\n       Services organization monitor the security configuration settings of the devices on the\n       wireless network. At the time of our review, the Enterprise Networks Division had not\n       installed the software required to continuously monitor the configuration files of the\n       wireless devices, as recommended, due to other higher priorities.\n\n\n\n\n                                                                                            Page 6\n\x0c                  Sensitive Data Remain at Risk From the Use of Unauthorized\n                                    Wireless Technology\n\n\n\nRecommendation\nRecommendation 3: The Chief Information Officer should ensure the Enterprise Networks\nDivision takes appropriate action to monitor and track the configuration files on the ELITE\nwireless network to ensure all files are set in accordance with the IRS wireless security policy.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       Enterprise Networks Division is currently working with the Mission Assurance and\n       Security Services organization to fully assess and manage the ELITE network devices to\n       ensure all configurations adhere to IRS guidelines, standards, and procedures.\n\n\n\n\n                                                                                            Page 7\n\x0c                 Sensitive Data Remain at Risk From the Use of Unauthorized\n                                   Wireless Technology\n\n\n\n                                                                                  Appendix I\n\n       Detailed Objectives, Scope, and Methodology\n\nThe overall objective for this follow-up review was to determine whether IRS assets are at risk\nfrom the use of unapproved wireless network devices. We also evaluated the security controls\nover the one IRS-approved wireless network. In addition, we determined whether existing\nwireless networks were properly approved and securely implemented and whether IRS\nemployees or contractors were installing unapproved wireless networks. To accomplish our\nobjective, we:\nI.     Determined whether the IRS had developed and implemented policies, procedures, and\n       guidance for the use of wireless technology.\n       A. Determined what corrective actions were taken on the recommendations from our\n          prior audit report entitled, Use of Unapproved Wireless Technology Puts Sensitive\n          Data at Risk (Reference Number 2003-20-056, dated February 2003).\n       B. Evaluated the current IRS Internal Revenue Manual, policies, procedures, and\n          wireless guidance.\n       C. Compared the IRS wireless policy and procedures to the Department of the Treasury,\n          National Institute of Standards and Technology, and other Federal Government\n          standards on wireless technology. We also compared them to private industry best\n          practices and recommended solutions.\nII.    Evaluated the security of the ELITE wireless network.\n       A. Reviewed approval documents to determine whether this wireless network was\n          properly approved and whether the documents covered security concerns over\n          wireless weaknesses.\n       B. Evaluated system reviews conducted by the CSIRC and other organizations to\n          identify whether problems with this wireless network have been previously identified.\n       C. Evaluated the logical and physical security protections of this wireless network.\nIII.   Determined whether any unauthorized wireless networks exist.\n       A. Contacted IRS management, the CSIRC, and the Treasury Inspector General for Tax\n          Administration System Intrusion Network Attack Response Team to determine the\n          locations of known approved wireless networks and devices and how often scans for\n          unapproved wireless services are performed, where these scans have been conducted,\n          and what the results have been.\n\n                                                                                          Page 8\n\x0c                     Sensitive Data Remain at Risk From the Use of Unauthorized\n                                       Wireless Technology\n\n\n\n         B. Remotely identified the number and types of wireless devices in use by performing a\n            Nessus Access Point scan1 of the entire IRS network.\n         C. Conducted 20 scans for wireless devices at a judgmental sample of IRS buildings in\n            10 different cities to identify unapproved wireless networks. The previous audit steps\n            provided an indicator of wireless devices that may reside on the IRS network. This\n            audit step was to determine the actual existences of the wireless devices. Selection of\n            the sites we scanned was based on the locations of approved wireless systems,\n            locations where wireless devices were identified in the past, and locations where\n            wireless devices appeared to exist based on the scan in Step III.B. A judgmental\n            sample was used because we were not planning to project our audit results. See\n            Appendix IV for a list of the locations we scanned.\n\n\n\n\n1\n Nessus is an open-source vulnerability assessment tool designed for Unix systems. In addition to identifying\nvulnerabilities in operating systems and applications, Nessus uses several techniques to identify unauthorized access\npoint devices.\n                                                                                                             Page 9\n\x0c                 Sensitive Data Remain at Risk From the Use of Unauthorized\n                                   Wireless Technology\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen Mullins, Director\nKent Sagara, Acting Director\nThomas Polsfoot, Audit Manager\nEsther Wilson, Lead Auditor\nCharles Ekunwe, Senior Auditor\nCari Fogle, Senior Auditor\nGeorge Franklin, Senior Auditor\nJimmie Johnson, Senior Auditor\nLouis Lee, Senior Auditor\nJackie Nguyen, Senior Auditor\n\n\n\n\n                                                                                     Page 10\n\x0c                Sensitive Data Remain at Risk From the Use of Unauthorized\n                                  Wireless Technology\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief Information Officer OS:CIO\n       Chief, Mission Assurance and Security Services OS:MA\n       Director, Program Oversight Office OS:CIO:SM:PO\n\n\n\n\n                                                                       Page 11\n\x0c                   Sensitive Data Remain at Risk From the Use of Unauthorized\n                                     Wireless Technology\n\n\n\n                                                                               Appendix IV\n\n            Locations Scanned for Wireless Devices\n\nWe scanned 20 offices in 10 cities to identify unapproved wireless devices. The table below\npresents the list of office locations we scanned and the number of devices identified.\n\n         Cities                      Office Addresses                  Unapproved Wireless\n                                                                             Devices\n                                                                     Confirmed Unconfirmed\nDallas, Texas                 \xe2\x80\xa2   4050 Alpha Road\n                              \xe2\x80\xa2   1100 Commerce Street\nFort Worth, Texas             \xe2\x80\xa2   819 Taylor Street\nHouston, Texas                \xe2\x80\xa2   1919 Smith (Mickey Leland                              X\n                                  Building)\n                              \xe2\x80\xa2   8701 South Gessner                                     X\n                              \xe2\x80\xa2   12941 North IH-45\n                              \xe2\x80\xa2   8876 Gulf Freeway\nPlantation, Florida           \xe2\x80\xa2   7850 Southwest 6th Court                               X\n                              \xe2\x80\xa2   1000 South Pine Island Road\nMiami, Florida                \xe2\x80\xa2   51 Southwest First Avenue\nWest Palm Beach,              \xe2\x80\xa2   1700 Palm Beach Lakes\nFlorida                           Boulevard\nDenver, Colorado              \xe2\x80\xa2   600 17th Street                         X\n                              \xe2\x80\xa2   1244 Speer Boulevard\nPortland, Oregon              \xe2\x80\xa2   3rd Avenue (Federal Building)\n                              \xe2\x80\xa2   120 Main Street\nAtlanta, Georgia              \xe2\x80\xa2   2970 Brandywine Road\n                              \xe2\x80\xa2   401 West Peachtree Street\n                              \xe2\x80\xa2   6655 Peachtree-Dunwoody Road\n                              \xe2\x80\xa2   2888 Woodcock Boulevard\nBloomington, Illinois         \xe2\x80\xa2   2402 East Empire (National\n                                  Distribution Center)\n      Totals: 10                              20                          1              3\n\n\n                                                                                        Page 12\n\x0c    Sensitive Data Remain at Risk From the Use of Unauthorized\n                      Wireless Technology\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 13\n\x0cSensitive Data Remain at Risk From the Use of Unauthorized\n                  Wireless Technology\n\n\n\n\n                                                      Page 14\n\x0cSensitive Data Remain at Risk From the Use of Unauthorized\n                  Wireless Technology\n\n\n\n\n                                                      Page 15\n\x0cSensitive Data Remain at Risk From the Use of Unauthorized\n                  Wireless Technology\n\n\n\n\n                                                      Page 16\n\x0c'